Feature #2244
protection, apache + mod_rails a.k.a. phusion passenger

Added by Keith Cascio over 15 years ago. Updated over 15 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 2008-11-28
Due date: -
% Done: 0%
Estimated time: -
Resolution: Wont fix

Description

Now that many admins deploy Redmine using Apache + Phusion Passenger a.k.a. mod_rails or modrails, it makes sense to add .htaccess files to protect the non-public parts of Redmine from inadvertent/malicious download. Here's why:

If we use the Passenger sub-URI method to deploy Redmine, i.e. we simply copy a fresh distribution of Redmine anywhere under Apache's web document root, then unless precautions are taken, we expose private files to download, e.g. config/database.yml.

By my count, there are 13 first-level directories that would benefit from .htaccess protection: { app/ config/ db/ doc/ extra/ files/ lang/ lib/ log/ script/ test/ tmp/ vendor/ }

For each of those, you could add an .htaccess file (e.g. config/.htaccess) looking like this:

order deny,allow
deny from all
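The procedure above, carried out for all 13 directories with a verification pass, as an added example that is neither part of the issue nor Redmine's own code. It assumes Apache honours .htaccess under the Redmine tree (`AllowOverride Limit` or `All`; with `AllowOverride None` the files are silently ignored) and takes the Apache version as an argument, since Apache 2.4 replaced the `order`/`deny` directives with `Require all denied` (the 2.2 form only works on 2.4 if mod_access_compat is loaded). The directory list is the issue's; the function names, the version switch and the check are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Redmine issue or the Redmine project.
# Writes a deny-all .htaccess into each non-public first-level Redmine
# directory and then verifies that every existing one is protected.
# Assumptions (not stated on the page): Apache applies .htaccess here
# (AllowOverride Limit or All), and the caller supplies the Apache
# major.minor version so the right directive syntax is emitted.

# The 13 first-level directories named in the issue.
REDMINE_PRIVATE_DIRS="app config db doc extra files lang lib log script test tmp vendor"

# Print the deny-all directive block for an Apache version string (2.2, 2.4, ...).
# 2.4 uses mod_authz_core's "Require"; the 2.2 "order/deny" form is kept for
# everything else, exactly as the issue gives it.
htaccess_body() {
    case "$1" in
        2.4*) printf 'Require all denied\n' ;;
        *)    printf 'order deny,allow\ndeny from all\n' ;;
    esac
}

# protect_redmine ROOT [APACHE_VERSION]
# Write ROOT/<dir>/.htaccess for every private directory that exists in ROOT.
# Prints the number of files written.
protect_redmine() {
    root=$1
    version=${2:-2.2}
    written=0
    for d in $REDMINE_PRIVATE_DIRS; do
        [ -d "$root/$d" ] || continue          # skip directories this checkout lacks
        htaccess_body "$version" > "$root/$d/.htaccess"
        written=$((written + 1))
    done
    echo "$written"
}

# check_redmine ROOT
# Print every existing private directory whose .htaccess is missing or does not
# contain a deny-all directive; exit 0 only if all of them are protected.
check_redmine() {
    root=$1
    bad=0
    for d in $REDMINE_PRIVATE_DIRS; do
        [ -d "$root/$d" ] || continue
        f="$root/$d/.htaccess"
        if [ ! -f "$f" ] || ! grep -Eiq '^(deny from all|Require all denied)$' "$f"; then
            echo "unprotected: $root/$d"
            bad=1
        fi
    done
    return $bad
}

# Usage: sh protect_redmine.sh /path/to/redmine [2.2|2.4]
if [ $# -gt 0 ]; then
    protect_redmine "$1" "${2:-2.2}" >/dev/null && check_redmine "$1"
fi
```

Run it once after each Redmine upgrade, since unpacking a new release does not carry the .htaccess files over. Note that public/ is deliberately not on the list: it is the only directory Apache should serve, and Passenger's sub-URI instructions have the document root contain a symlink to public/ rather than a copy of the whole tree, which avoids the exposure the issue describes in the first place.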